Azure B2C securing metadata endpoint.

Osibote, Olamipo 21 Reputation points
2019-12-05T17:45:07.72+00:00

Does Azure B2C support custom policy metadata endpoint security using either basic authorization or certificate? The below does not appear to work as no certificate was sent to the API. I could not locate any documentation indicating that securing for metadata is supported however, I was able to locate documentation indication that RESTAPI security is supported.

alt text

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,960 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,590 questions
{count} votes

Accepted answer
  1. AmanpreetSingh-MSFT 56,701 Reputation points
    2019-12-09T13:55:55.963+00:00

    @Osibote, Olamipo I checked on this but there is no way to secure metadata endpoints by using basic or certificate based authentication. You may consider storing the metadata to a different location like Azure Storage blob and provide private access for example.

    -----------------------------------------------------------------------------------------------------------

    Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.


1 additional answer

Sort by: Most helpful
  1. Andreas Helland 76 Reputation points
    2019-12-18T21:58:12.247+00:00

    Depending on your scenario you can skip exposing metadata endpoints if it is to be consumed by B2C. For instance Apple doesn't provide an openid-configuration endpoint so one can hardcode it instead in the custom policy:
    https://appleid.apple.com/auth/authorize
    https://appleid.apple.com/auth/token
    https://appleid.apple.com/auth/keys
    https://appleid.apple.com

    For the metadata endpoints exposed by B2C it's different - those you cannot lock down. It is however not considered a threat to have it exposed. (If so MSFT wouldn't expose the AAD Common metadata endpoint.) One would also assume MSFT has anti-DDOS mechanisms in place for core Azure services.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.